[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A pothole in ISAKMP/Oakley

To: pau@xxxxxxxxxxxxxx
Subject: Re: A pothole in ISAKMP/Oakley
From: Derrell Piper <piper@xxxxxxxxx>
Date: Tue, 15 Apr 1997 11:38:38 -0700
Cc: ho@xxxxxxxxxxxxx, Dan.McDonald@xxxxxxxxxxx, ipsec@xxxxxxx
In-reply-to: Your message of "Tue, 15 Apr 1997 13:25:16 EDT." <>
Sender: owner-ipsec@xxxxxxxxxx

> > > I will note, however, that if the SPI's are pseudo-randomly generated,
> > > as is required by the spec, then the probability of using the same SPI
> > > twice should be extremely low.  So the implementations that revealed
> > > this problem were defective.
> > 
> > Hilarie is right.  SPI values must be {pseudo-,}randomly generated, if I
> > remember the specs correctly.  Implementations that do otherwise are probably
> > broken.
> 
> Dan, the spec does say so. But if an implementation uses a montonically
> increasing counter to generate SPI's for ESP and AH, it can interop with
> others. So I think it is worthwhile to put in a safeguard.
> 
> Also, I would like to emphasize that Ran's msg is about QUICK Mode
> KEYMAT derivation in Phase 2.  It is NOT about Phase 1.

Correct me if I'm wrong, but there's no longer any security basis for
having the Phase 2 SPI's be pseudo-randomly generated.  In fact, there were
implementations at the IPSEC bake-off that used monotonically increasing
SPI's.  This argues for fixing this in the protocol.

On the other hand, this is not a problem if you're doing the combined ESP
for authentication, as you wouldn't then have a separate SA for an AH key.
I think this is the normal case.

I would like to reitterate what Douglas Maughan pointed out at the
implementor's discussion last week, which is to remind everyone that the
ISAKMP framework is specifically designed to accomodate multiple and
divergent key exchange protocols.  This allows us to cleanly define a new
key exchange identifier in the future with fixes for "problems" like this.
This might also include the performance improvements requested by Hugo.

I don't think this is worth reopening the document to fix.  I'd like to see
it corrected in the next rev of the protocol, which should have a new key
exchange identifier in the IPSEC DOI.  In the mean time, the suggested use
of pseudo-randomly generated Phase 2 SPI's remains a useful recommendation.

Derrell, last seen rooting around his office for the Nomex suit...

References:
- Re: A pothole in ISAKMP/Oakley
  - From: pau

Prev by Date: Re: A pothole in ISAKMP/Oakley
Next by Date: Re: A pothole in ISAKMP/Oakley
Previous by thread: Re: A pothole in ISAKMP/Oakley
Next by thread: Re: A pothole in ISAKMP/Oakley
Index(es):
- Date
- Thread